
Microsoft Denies XBL Hacking, Shows Possibility of Account Compromise

Microsoft has repeated that the XBL (Xbox Live) network wasn't hacked, but it has acknowledged, through Major Nelson, the company's official blogger, that its XBL support staff may have put security at risk. Microsoft says it is currently in the middle of re-training its staff to ensure the safety of customer account data.

In the third week of March, rumors that XBL, Microsoft's well-known service, had been hacked were circulating. Some users asserted that they had been charged for products they never bought, which seemed to indicate that cyber-crooks had been able to access the users' account details. Microsoft was certain that the XBL network had not been compromised.

Larry Hryb, programming director of XBL, explains on his Major Nelson blog that when he first learned of the XBL hacking story, he checked it with people on his end and then posted about it. As initially posted, XBL had not been hacked, and that still holds true. Kevin Finisterre, a security researcher, did not identify a hack, but he discovered that certain user accounts may have been exploited by 'social engineering', or 'pretexting', through the company's support center. Kevin called Larry directly, and once Larry realized what the matter was (Kevin sent him some painful-to-listen-to audio files), he confirmed that the team is fully aware of the problem. The company is reviewing its policies, and the re-training of support staff and partners has already begun in order to reduce this kind of social engineering attack.

The software giant insisted that probably only a few accounts have been compromised and that the claims of some group to have stolen ten accounts per day are probably bluster. Microsoft also stated that its present methods for confirming the identity of customers calling into the support center should work, but that some support staff will have to undergo retraining.

Microsoft expressed gratitude to Finisterre for bringing the issue to its attention. Hryb said in a statement reported on March 26, 2007 by SecurityFocus that a maintenance outage is slated for March 27, 2007, but that it is not related to the account pilfering issue in any way.